Microsoft's default behavior is to assign "Administrators" as the owner
of any file or folder when that file or folder is created with an
administrative account (any member of Administrators). In an AD
environment, this includes the "Domain Admins" group and all of its
members too, because any time a computer account is joined to the domain,
one of the things that happens during this process is that "Domain
Admins" is added to the local computer's Administrators group. (Source:
https://technet.microsoft.com/en-us/library/cc961992.aspx)
This behavior is the reason why we have a large number of files and
folders that are owned by that builtin\Administrators group.
Samba, while happy to replace mapped group IDs with user IDs when
assigning ownership of non-builtin groups, refuses to do so for the
builtin groups, but it's not clear why.
Example of an AD group being assigned as owner, which works:
"getent group 'DOMAIN\Domain Admins'" returns:
DOMAIN\domain admins:x:20512:(along with all the users that are member
of this group.)
Yet, even though getent sees this is a group, I can use this id for the
owner of a folder:
chown "DOMAIN\Domain Admins" CoreLib/
ls -lnd CoreLib/
d---------+ 2 20512 90000001 5 Dec 8 11:59 CoreLib//
If I do a reverse lookup of the numeric id as both a user or group, I
see why this works:
id -u 'DOMAIN\Domain Admins'
20512
id -g 'DOMAIN\Domain Admins'
20512
chown is not using the group id, it's using a user id that's the same as the
group id. I assume Samba does this sleight of hand because Windows doesn't
differentiate between users and groups the way that *nix does.
So let's try with BUILTIN\Administrators instead:
"getent group 'BUILTIN\Administrators'" returns this:
BUILTIN\administrators:x:90000001
However, doing a reverse lookup shows the problem:
id -u 'BUILTIN\administrators'
id: BUILTIN\administrators: no such user
id -g 'BUILTIN\administrators'
BUILTIN\administrators:x:90000001
So while the system is perfectly fine assigning 'DOMAIN\Domain Admins' as both an owner and a group:
chgrp 'DOMAIN\Domain Admins' CoreLib/
ls -lnd CoreLib/
d---rwx---+ 2 20512 20512 5 Dec 8 11:59 CoreLib//
ls -lad CoreLib/
d---rwx---+ 2 DOMAIN\domain admins DOMAIN\domain admins 5 Dec 8 11:59
CoreLib//
The same is impossible for BUILTIN\Administrators because there is no
mirrored BUILTIN\administrators user id internal to Samba.
This breaks the behavior Microsoft documented in the URL above.

I'm pretty sure this works if you use an idmap backend that
supports ID_TYPE_BOTH. Currently this is only supported
by the "rid", "autorid" and "script" (if the script supports it)
backends on a member or standalone server. It should always work
on an active directory domain controller.
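The two checks below are an added example, not code from the bug report or from Samba. The first reproduces the diagnostic in the report: it asks NSS (getent, which is where winbind answers when it is configured in nsswitch.conf) whether a name resolves as a passwd entry, a group entry, or both, since chown needs the former and chgrp the latter. The second parses an smb.conf and reports whether the idmap backend configured for a given domain is one of the backends named in the reply above (rid, autorid, or script with a cooperating script) that can hand out ID_TYPE_BOTH mappings on a member server. The sample smb.conf, the domain name EXAMPLE and the function names are constructed for the example; whether a real "script" backend returns ID_TYPE_BOTH cannot be determined from smb.conf alone, so that case is reported separately.

```shell
#!/bin/sh
# Added example, not from the bug report or Samba.

# idmap_kind NAME -> prints "both", "user", "group" or "none" depending on
# whether NAME resolves through NSS as a passwd entry, a group entry or both.
# chown needs a passwd entry; chgrp needs a group entry. With winbind in NSS
# and a backend that supports ID_TYPE_BOTH, "DOMAIN\Domain Admins" should
# print "both"; "BUILTIN\Administrators" printed only "group" in the report.
idmap_kind() {
    name=$1
    u=0; g=0
    getent passwd "$name" >/dev/null 2>&1 && u=1
    getent group  "$name" >/dev/null 2>&1 && g=1
    case "$u$g" in
        11) echo both ;;
        10) echo user ;;
        01) echo group ;;
        *)  echo none ;;
    esac
}

# backend_supports_both SMBCONF DOMAIN -> prints "yes" (rid or autorid),
# "script" (depends on what the script returns) or "no" (e.g. tdb) for the
# "idmap config DOMAIN : backend = ..." line in SMBCONF. Parameter names and
# domain names are case-insensitive in smb.conf, so everything is lowercased
# first. Returns 1 when no backend line exists for DOMAIN. The list of
# backends is the one given in the reply above (member/standalone server).
backend_supports_both() {
    conf=$1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/[][\.*^$/]/\\&/g')
    backend=$(tr '[:upper:]' '[:lower:]' < "$conf" | sed -n \
        "s/^[[:space:]]*idmap config[[:space:]]*$want[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | head -n 1)
    [ -n "$backend" ] || return 1
    case "$backend" in
        rid|autorid) echo yes ;;
        script)      echo script ;;
        *)           echo no ;;
    esac
}

# Constructed sample smb.conf (not from the report): a member server that maps
# the default "*" domain with tdb and the EXAMPLE domain with rid.
write_sample_smbconf() {
    cat > "$1" <<'EOF'
[global]
    security = ads
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    winbind use default domain = no
EOF
}

# Demo: on a box without winbind the AD names simply resolve as "none".
tmp=$(mktemp)
write_sample_smbconf "$tmp"
for n in 'DOMAIN\Domain Admins' 'BUILTIN\Administrators'; do
    printf '%-24s resolves as: %s\n' "$n" "$(idmap_kind "$n")"
done
printf 'default (*) backend supports ID_TYPE_BOTH: %s\n' "$(backend_supports_both "$tmp" '*')"
printf 'EXAMPLE backend supports ID_TYPE_BOTH:     %s\n' "$(backend_supports_both "$tmp" EXAMPLE)"
rm -f "$tmp"
```

On a member server affected by this report, idmap_kind 'DOMAIN\Domain Admins' prints "both" while idmap_kind 'BUILTIN\Administrators' prints "group"; if backend_supports_both reports "no" for the "*" domain (which is where BUILTIN is mapped by default), switching that default mapping to rid or autorid is the configuration change the reply above is pointing at.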

Stephan,
Is there anything more I can do here for you? Can you confirm that it is indeed possible to assign builtin\groups as owners using backends with ID_TYPE_BOTH?
Also, isn't it still considered a bug if tdb doesn't support this? I mean if Samba isn't performing like a similarly configured Windows machine, should that be considered a bug?